Have a questios? FortiOs

HenleyAndersen · ‎12-05-2021

Hi all,

have a question..

there is an old bug in FortiOS and FortiManager that allows you to set too long Phase1 names. This can cause problems wenn the FGT runs out of space on creating new dialup instances due to enumeration

So how can I flush those enumerations the have FortiOS start anew at 0 (even if this means shutting down all currently dialled in instances to avoid enumeration conflicts)? 192168101.win 100001.dev routerlogin.win

ede_pfau · ‎12-07-2021

Hi,

you can 'flush' the VPN tunnel by CLI:

diagnose vpn tunnel flush my-phase1-name

See https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-flush-a-VPN-tunnel/ta-p/196631?exte...

But of course the way to fix this is to re-create the tunnel with a shorter phase1 name. I think the limit is 15 chars, and is well known/documented. So, 13 chars for the name plus "_0" for up to 10 users. Unfortunately, the max number of users will only be displayed on an existing tunnel.

For a tunnel already in use, deleting and recreating can be cumbersome. The way I do this:

- save the config to disk

- search & replace the phase1 name to something shorter

- restore this config file to the FGT - this will REBOOT the firewall!

Last time I checked this, I created a dialup tunnel in GUI and it displayed a warning when I entered 14 chars:

Ede Kernel panic: Aiee, killing interrupt handler!

Have a questios? FortiOs

Nominate a Forum Post for Knowledge Article Creation